SaaS · 2025-06

Series A SaaS: Heroku to AWS, Enterprise-Ready in 4 Weeks

A Series A B2B SaaS company raised $6M and needed production-grade infrastructure before an enterprise pilot with a Fortune 500 customer. They had a Rails monolith on a single Heroku dyno and 8 weeks before the pilot.

Before and after:

  Deploy Time: 20 minutes (Heroku git push) → 8 minutes (ECS rolling deploy)
  Deploy Frequency: 3–4/week → Daily
  Incidents: No security controls documented → Full AWS security baseline with documented controls
  Cost Impact: - → $6M enterprise pilot closed

The Challenge

Heroku worked for getting to product-market fit. The enterprise prospect's security team required infrastructure in a private cloud, documented access controls, and a SOC2 roadmap. The engineering team of 6 had never managed cloud infrastructure.

The Approach

Two parallel tracks: migrate to AWS with proper security controls, and produce the documentation the enterprise security review required. The goal was not full SOC2 certification but a credible roadmap with controls in place.

The Implementation

AWS foundation and security baseline

Multi-account AWS setup via Terraform: production, staging, and shared services accounts. CloudTrail, AWS Config, GuardDuty, and Security Hub enabled from day one. IAM roles with least-privilege, MFA enforced on all accounts.

Tools: AWS Organizations, Terraform, CloudTrail, GuardDuty, AWS Config

ECS Fargate migration from Heroku

We containerised the Rails application and migrated to ECS Fargate. RDS PostgreSQL replaced Heroku Postgres. Secrets moved to AWS Secrets Manager. Zero-downtime blue-green cutover.

Tools: AWS ECS Fargate, AWS RDS PostgreSQL, AWS Secrets Manager, Docker

CI/CD pipeline with security gates

GitHub Actions pipeline with dependency scanning (Snyk), Docker image scanning (Trivy), automated tests, and staging deploy on every merge. Production deploys require a logged manual approval.

Tools: GitHub Actions, Snyk, Trivy, AWS ECR
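An added example of how those gates can be expressed as a GitHub Actions workflow (illustrative, not the client's actual pipeline): Snyk and Trivy fail the build on high or critical findings, every merge to main reaches staging, and the production job waits on a GitHub environment with required reviewers, so the approver and time are recorded on the run. The AWS account IDs, role names, region and the bin/deploy script are placeholders.

```yaml
name: ci
on:
  pull_request:
  push:
    branches: [main]
permissions:
  contents: read
  id-token: write  # OIDC federation to AWS instead of long-lived access keys (assumption)
jobs:
  test-and-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ruby/setup-ruby@v1
        with: { bundler-cache: true }
      - run: bundle exec rspec
      # Dependency scan: Snyk CLI fails the job on high/critical findings in Gemfile.lock
      - run: npm install -g snyk && snyk test --severity-threshold=high
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
      - run: docker build -t app:${{ github.sha }} .
      # Image scan gate: exit-code 1 blocks everything downstream on unfixed HIGH/CRITICAL CVEs
      - uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: app:${{ github.sha }}
          severity: HIGH,CRITICAL
          ignore-unfixed: true
          exit-code: "1"
  deploy-staging:
    needs: test-and-scan
    if: github.ref == 'refs/heads/main'   # every merge to main reaches staging
    runs-on: ubuntu-latest
    environment: staging
    steps:
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::111111111111:role/gha-deploy-staging  # placeholder
          aws-region: eu-west-1
      - run: ./bin/deploy staging ${{ github.sha }}   # assumed script: push to ECR, roll ECS service
  deploy-production:
    needs: deploy-staging
    runs-on: ubuntu-latest
    # 'production' environment has required reviewers set in repo settings; approver and time are logged on the run
    environment: production
    steps:
      - uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::222222222222:role/gha-deploy-production  # placeholder
          aws-region: eu-west-1
      - run: ./bin/deploy production ${{ github.sha }}
```

Pull requests run only the test-and-scan job; the two deploy jobs are skipped because their `if` condition and `needs` chain are not satisfied off main.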

Compliance documentation package

Network architecture diagram, data flow diagram, access control policy, incident response runbook, and a SOC2 gap assessment showing controls in place and the roadmap to Type I certification.

Tools: AWS VPC, Lucidchart, Notion

Key Takeaways

  • Enterprise deals are won or lost in the security review - infrastructure controls and documentation are as important as the product
  • Multi-account AWS from the start prevents staging mistakes from touching production data
  • Fargate eliminates EC2 management overhead for small teams - no patching, no AMI management
  • A SOC2 gap assessment showing a credible roadmap is often sufficient to unblock an enterprise pilot

Facing Similar Challenges?

Book a free 30-minute audit and I will tell you what I see.
